ERR_SSL_PROTOCOL_ERROR on Google Chrome

sforbus@atljewishacademy.org
2019/08/13 08:40:20 (permalink)
0

ERR_SSL_PROTOCOL_ERROR on Google Chrome

We are having a bizarre problem since updating to 6.2.1 (we updated due to a memory leak issue in 6.2.0).
 
Certain sites are giving us an ERR_SSL_PROTOCOL_ERROR only in Google Chrome. I have tried all the usual troubleshooting for this error, but the only thing that fixes it is restarting the FortiGate. Two sites (facebook.com and login.renweb.com) both use TLS 1.3, but we can get to facebook without a problem and we cannot get to the other site. After rebooting the device, it works for several days and then starts behaving poorly again.
 
Other browsers work fine, including Internet Explorer, Edge (not Chromium based) and Firefox.
 
I have attempted to disable SSL certificate inspection, but that does not seem to affect the problem one way or another. I also tried putting the FortiGate back on its factory certificate.
 
My next step will be to revert to 6.0 branch, where I did not experience this issue, but I figured I would post first to see if anyone had similar experiences.
 
#1
dxnet
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/19 23:26:32 (permalink)
0
On firmware 6.2.1 I have a similar error: I can't open https://www.whatsapp.com/ in Google Chrome, but it works in IE.
I added an exemption for SSL inspection (wildcard *.whatsapp.com), but it doesn't work. WhatsApp in Chrome works only if SSL deep inspection is disabled.
post edited by dxnet - 2019/08/19 23:52:10
#2
sforbus@atljewishacademy.org
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/20 04:19:36 (permalink)
0
I have solved the problem by downgrading back to 6.0.5, I believe. It has been a couple of days and this problem has not resurfaced. I will see if it happens again.
#3
bbilut
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/20 05:23:32 (permalink)
0
Have you tried disabling QUIC protocol in Chrome?
#4
dxnet
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/21 02:37:58 (permalink)
0
I tried to disable QUIC, but it doesn't resolve the problem.
https://serverfault.com/ also doesn't work, and I added an exemption for SSL inspection for *.serverfault.com too.
And I noticed that I can't open these sites in Mozilla either.
They work only in IE and Edge.
#5
dxnet
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/24 02:07:50 (permalink)
0
So, I've solved the problem by downgrading back to 6.2.0 (build 0866). SSL in Chrome works on all the sites where I had the problem (whatsapp.com, https://serverfault.com).
#6
kingD
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/30 07:58:28 (permalink)
0
I configured URL filtering that works only with IE.
Chrome lets all the HTTPS traffic pass.
#7
marcrp
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/30 08:58:47 (permalink)
0
We are experiencing the same issue too since upgrading to 6.2.1.
 
Although for us it seems to be only affecting IE11 and we randomly get the error "Can’t connect securely to this page" "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to"
 
The only workaround is to create a rule with no AV inspection and put the site we are having issues with as the destination, and it seems to work.
 
I think I will be reverting to 6.2.0 as I have so many random sites that aren't working for us.
 
 
#8
seadave
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/31 19:45:11 (permalink)
4 (1)
TLS 1.3 is a different beast.  Can't tell from the bottom of this page if MiTM TLS 1.3 is only supported in Flow Based inspection or also in Proxy mode (which most people use).  You may need to change from proxy to flow.
 
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/35927/tls-1-3-support
 
One other issue we ran into when doing major version upgrades is to ensure your CA cert used for MiTM is not using a weak signing algorithm such as SHA1.  Make sure you generate a self-signed one that is at least 2048 bits using SHA256 if RSA and 384 bits if using ECDHE.
 
We have found some domains that use HSTS (cert pinning); those will not accept a connection that is broken by a proxy.  We had to create a rule to exempt such domains from filtering if they were legitimate for business.
 
Finally, I wouldn't be using 6.2.X in production yet and I'd only use it on devices bigger than E series with a model number greater than 100.  Other models are prone to fault due to minimal RAM and CPU resources.  6.2 is still very new.  We are running 6.0.5 in production and it has proven to be very stable on 501Es.
post edited by seadave - 2019/08/31 19:56:27
#9
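A way to test the points raised so far (TLS 1.3 versus earlier versions, and whether the firewall is re-signing the connection), written as an added example that is not part of any post in this thread: it performs one handshake per TLS version and reports the issuer seen or the failure type. The host name and CA common name are placeholders, and the constructed values are assumptions to replace with your own.

```python
import socket
import ssl

# The two versions the thread contrasts; each probe offers exactly one.
VERSIONS = {"TLS1.2": ssl.TLSVersion.TLSv1_2, "TLS1.3": ssl.TLSVersion.TLSv1_3}

def pinned_context(version):
    """Verifying client context that offers only the given TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def issuer_cn(cert):
    """Issuer common name from the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def probe(host, port=443, timeout=5.0):
    """One handshake per version; record the issuer seen or the exception name."""
    results = {}
    for label, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = {"ok": True, "issuer": issuer_cn(tls.getpeercert())}
        except (ssl.SSLError, OSError) as exc:
            # SSLCertVerificationError = untrusted chain; other SSLError = protocol failure
            results[label] = {"ok": False, "error": type(exc).__name__}
    return results

def diagnose(results, inspection_ca_cn):
    """Summarise probe() output. A TLS 1.3-only failure can also mean the origin
    lacks TLS 1.3, so compare with a run from outside the firewall."""
    t12, t13 = results["TLS1.2"]["ok"], results["TLS1.3"]["ok"]
    if t12 and t13:
        verdict = "ok"
    elif t12:
        verdict = "tls13-only-failure"
    else:
        verdict = "failing"
    resigned = sorted(k for k, r in results.items() if r.get("issuer") == inspection_ca_cn)
    return {"verdict": verdict, "resigned_by_inspection_ca": resigned}

if __name__ == "__main__":
    # Placeholder host and CA name: substitute an affected site and your own CA's CN.
    print(diagnose(probe("example.com"), "YOUR-INSPECTION-CA-CN"))
```

Python verifies against the system trust store, so on a machine that does not trust the inspection CA a re-signed connection shows up as `SSLCertVerificationError` rather than as an issuer match.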
GregAndo
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/02 22:00:48 (permalink)
0
Things were going okay, but now we are beginning to see this too after having run for a few days.  I am not sure how far reaching it is, but, ironically, it is affecting my ability to log into the FortiGate web interfaces of my fleet, which are a mix of 6.0 and 6.2.1
 
Has anyone been able to isolate the cause?  What about a temporary resolution that doesn't require a reboot?
#10
tracyb
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/03 13:44:08 (permalink)
0
I just posted “Weak impersonation certificates blocking access to sites using ECC certificates”, then saw this post.  The two are possibly related.
#11
GregAndo
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/03 18:35:24 (permalink)
0
Okay, I have been digging into this a little more and I think I have some leads.  Seadave is on point with proxy vs flow mode in my testing.  I found that AV, certificate settings, or any other security profiles made no difference being enabled or disabled.  I am interested to hear from anyone who has a situation different to this.  I expect that, to be affected, you will need to be using:
 
- Proxy mode in the policy
- HTTP proxy in the proxy profile (on port 80 in my case which is confusing for a secure site?)
 
Since you can now choose Flow Based vs Proxy on a per policy level in 6.2, you have a couple of workaround options.
 
1. When the issue starts occurring, access the device CLI and execute the following command to restart the proxy service:
 
diagnose test application wad 99
 
I ran this command in the middle of the day without noticing any problems, but use this at your own risk!
 
2. Reboot the firewall
3. Create a new copy of the policy above the affected policy, targeting affected destination websites' IP addresses (least impact on security, but a pain to manage).  Set this policy to flow mode or use a proxy policy that has HTTP proxy disabled.
4. Create a new policy using a proxy policy that has HTTP disabled and apply this to the proxy settings on the affected firewall policy.
5. Change the policy from proxy to flow mode.
 
Obviously you will need to consider how the reduction in protection affects your risk, and don't forget to change back after the issue is resolved in a future firmware update.  Hope this helps.
 
We are pushing on this because we really want to leverage new features in 6.2. Please fix this soon, Fortinet!
 
Hope this helps, please consider giving me a vote if you found this useful!
 
post edited by GregAndo - 2019/09/04 17:00:50
#12
riyasander
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/10/03 00:20:50 (permalink)
0
Mostly this error occurs due to server issues and a lack of client authentication. There are some other reasons for ERR_SSL_PROTOCOL_ERROR on Google Chrome, and you can fix this with this guide: https://www.clickssl.net/blog/fix-err_ssl_protocol_error-for-google-chrome
#13
mjcrevier
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/10/03 10:44:44 (permalink)
0
You're running into a bug related to the SSL handshake & certificate-inspection profile when policy is set to proxy mode. Switch to flow-based inspection for now. Hoping this bug is fixed in 6.2.2.
#14
mp_na
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/10/10 07:09:05 (permalink)
0
I've had similar issues since my rollup.
 
All Chrome and Chromebooks broke.
 
My resolution:
 
I rebuilt all of the SSL inspection exemptions and web filter exemptions adding these links:
 
https://support.google.com/chrome/a/answer/3504942?hl=en
#15
Jirka
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/02 14:52:48 (permalink)
0
Hello,
 
I have the same problem on 6.2.3.
I am unable to display the blocked https page correctly. In Chrome it ends with an "ERR_CONNECTION_RESET" error. HTTP queries work correctly.
I have set up cert-inspection, flow policy and use only the FortiGuard category. In the profile configuration I tried to disable https redirect - set https-replacemsg disable, but I think the problem will be elsewhere.
 
IE reports the error message:
This page cannot be securely connected
This may be because your site is using outdated or unsafe TLS security settings. If the problem recurs, try contacting the site owner.
 
Has anyone solved this problem?
Thanks.
Jirka
#16
Jirka
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/06 01:15:10 (permalink)
0
Hello,
anybody?

Jirka
#17
ShawnZA
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/06 23:59:19 (permalink)
0
6.2.2 is very buggy, have it running on 5 production firewalls, 300D, 100E HA cluster and a few 60E's.
 
We got that error often, not doing deep SSH inspection, just cert inspection.
 
I changed most of the browsing policies to flow mode from proxy mode, error gone after that. (Had to re-create most browsing policies and deleted the old ones; some I could change to flow with no issues and some policies had to be recreated.)
 
 
#18
Jirka
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/07 00:20:03 (permalink)
0
Hello,

but I have 6.2.3. Everything else works stably and great, except webfiltering. If I create a static URL list it also works OK. The problem only affects FortiGuard webfilter.

Jirka
#19
ShawnZA
Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2020/01/07 00:26:59 (permalink)
0
Yeah, all 6.2.* versions are full of bugs.
We get the SSL error while accessing allowed sites.
Is your policy set to proxy mode or flow mode?
#20